Safeguard for Sudo 7.3 - Administration Guide

pmlogxfer

Syntax
pmlogxfer -h | -v
Description

Transfers event logs and I/O logs after an off-line policy evaluation has occurred. pmlogxfer is initiated by pmpluginloadcheck when there are log files queued for transfer from a Sudo Plugin host to the server.

Note that pmlogxfer is not intended to be run directly; it is normally invoked by pmpluginloadcheck at a regular interval (every 30 minutes by default).

Options

pmlogxfer has the following options.

Table 31: Options: pmlogxfer

Option   Description
-h       Displays usage information.
-v       Displays the version number of Safeguard for Sudo and exits.

Files

  • Directory for offline log files: /var/opt/quest/qpm4u/offline

Related Topics

pmpluginloadcheck
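Because pmlogxfer only moves logs that are still queued in the offline directory, a backlog that keeps growing is the first sign that audit data from a Sudo Plugin host is no longer reaching the policy server. The following health check is an added example, not a script from the Safeguard for Sudo guide or product: it scans the offline directory named above for files older than a threshold and reports them. The 60-minute threshold (two default pmlogxfer cycles) and the return-code convention are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the Safeguard for Sudo guide: flag offline
# event/keystroke log files that have sat in the pmlogxfer queue
# directory longer than expected. A growing backlog means audit data
# from this Sudo Plugin host is not reaching the policy server.

# Queue directory from the "Files" section; $1 overrides it (for testing
# or non-default layouts).
QUEUE_DIR="${1:-/var/opt/quest/qpm4u/offline}"
# Age threshold in minutes. pmlogxfer normally runs every 30 minutes, so
# files older than two cycles are suspicious; 60 is an assumed default.
MAX_AGE_MIN="${2:-60}"

# check_offline_queue DIR MINUTES
#   0 - no queued file older than MINUTES
#   1 - at least one stale file (listed on stdout)
#   2 - DIR does not exist (pmlogxfer not installed, or the path changed)
check_offline_queue() {
    dir="$1"
    max_min="$2"
    if [ ! -d "$dir" ]; then
        echo "queue directory missing: $dir" >&2
        return 2
    fi
    # -mmin is supported by GNU and BSD find (not strictly POSIX).
    stale=$(find "$dir" -type f -mmin +"$max_min" | wc -l | tr -d ' ')
    if [ "$stale" -gt 0 ]; then
        echo "WARNING: $stale offline log file(s) older than ${max_min}m in $dir"
        find "$dir" -type f -mmin +"$max_min" -exec ls -l {} \;
        return 1
    fi
    echo "OK: no offline log files older than ${max_min}m in $dir"
    return 0
}

# Run the check; the status is kept in QUEUE_STATUS so a cron or
# monitoring wrapper can act on it (for example: exit "$QUEUE_STATUS").
QUEUE_STATUS=0
check_offline_queue "$QUEUE_DIR" "$MAX_AGE_MIN" || QUEUE_STATUS=$?
```

Run it from cron on each Sudo Plugin host and alert on a non-zero status; a status of 2 is worth an alert of its own, since a missing queue directory on a host that is supposed to evaluate policy off-line usually means the installation layout differs from what the monitoring expects.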

pmmasterd

Syntax
pmmasterd [ -v ] | [ [ -ars ] [ -e <logfile> ] ]
Description

The Safeguard for Sudo master daemon (pmmasterd) is the policy server decision-maker. pmmasterd receives requests from pmrun or the Sudo Plugin and evaluates them according to the security policy. If the request is accepted, pmmasterd asks pmlocald or the Sudo Plugin to run the request in a controlled account such as root.

A connection is maintained between pmmasterd and the Sudo Plugin for the duration of the session. This also occurs between pmmasterd and pmlocald, if keystroke logging is enabled. When the pmmasterd connection is maintained throughout the session, keystroke and event log data is forwarded on this connection.

If keystroke logging is not enabled, pmlocald reconnects to pmmasterd at the end of the session to write the event log record showing the final completion code for the command run by pmlocald. If pmlocald is unable to reconnect, it writes instead to a holding file, pm.eventhold.hostname. It then attempts to write the pmevents.db record to the host the next time pmmasterd connects to pmlocald. Multiple files can accrue and they will all be delivered to the proper host when the connection is restored.

The policy server master daemon typically resides on a secure machine. You can have more than one policy server master daemon on different hosts for redundancy or to serve multiple networks.

pmmasterd logs all errors in a log file if you specify the -e filename option.

Options

pmmasterd has the following options.

Table 32: Options: pmmasterd

Option          Description
-a              Sends job acceptance messages to syslog.
-e <filename>   Logs any policy server master daemon errors in the file specified.
-r              Sends job rejection messages to syslog.
-s              Sends any policy server master daemon errors to syslog.
-v              Displays the version number of pmmasterd and exits.

Files
  • Safeguard for Sudo policy file (sudo type): /etc/opt/quest/qpm4u/policy/sudoers

Related Topics

pmcheck

pmkey

pmreplay

Safeguard for Sudo Policy Evaluation

pmplugininfo

Syntax
pmplugininfo -v | -c [-h <host>]
Description

Run the pmplugininfo command on a Sudo Plugin host to display information about the policy server group that the host has joined.

Options

pmplugininfo has the following options.

Table 33: Options: pmplugininfo

Option          Description
-c              Displays output in CSV, rather than human-readable format.
-h <hostname>   Specifies the hostname to interrogate for policy group information.
-v              Displays the product version and exits.

Examples

The following is an example of the human-readable output:

Joined to a policy group             : YES
Name of policy group                 : adminGroup1
Hostname of primary policy server    : adminhost1

Related Topics

Checking the Sudo Plugin configuration status

Sudo policy is not working properly

pmpluginloadcheck

Syntax
pmpluginloadcheck -v
                  -s|-p|-i [-e <interval>] [-t <sec>]
                  [-c|-f] [-b] [-h <master>] [-t <sec>] [-a] [-r]
Description

The pmpluginloadcheck daemon runs on each Sudo Plugin host and controls load balancing and failover for connections made from the host to the configured policy servers. It runs as a daemon, and is started as needed to verify the status of the configured policy servers.

Information is gathered from a policy server each time a normal sudo session connects to it. This information is used to determine which policy server to use the next time a session is requested. If a host cannot establish a connection to a policy server because, for example, the policy server is offline, that policy server is marked as offline and no further connections are submitted to it until it is available again. For each policy server that is marked as offline, the pmpluginloadcheck daemon checks at intervals and attempts to establish a connection with it to determine its current status. If pmpluginloadcheck successfully establishes a session with the policy server, it is marked as online and is made available for normal sudo sessions.

To check the current status of all configured policy servers and display a brief summary of their status, run pmpluginloadcheck with no options. Add the -f option to show full details of each policy server status.

Options

pmpluginloadcheck has the following options.

Table 34: Options: pmpluginloadcheck

Option          Description
-a              Verifies the connection as if certificates are configured.
-b              Runs in batch mode.
-c              Reports full details of selected servers in CSV, rather than human-readable format.
-e <interval>   Sets the refresh interval (in minutes). The default is 60 minutes; the minimum value is 2 minutes.
-f              Reports full details of data for each policy server (or the selected policy server, when using the -h option).
-h <master>     Selects a policy server to verify.
-i              Starts the pmpluginloadcheck daemon, if it is not already running.
-P              Pauses a running daemon (sends SIGUSR1).
-p              Sends SIGHUP to a running daemon.
-r              Reports the last cached data for selected servers instead of connecting.
-s              Stops the pmpluginloadcheck daemon, if it is running.
-t <sec>        Specifies a timeout (in seconds) to use for each connection.
-v              Displays the version string and exits.
